Sepulcher RAT targets European organizations and Tibetan groups
Chinese hackers are carrying out cyber espionage attacks using new malware tracked as Sepulcher. The cyberattacks targeted European economic, diplomatic, and legislative entities. The second round of malware attacks focused on Tibetan dissidents, and groups associated with Tibet.
Sepulcher is a remote access trojan (RAT) malware that is delivered via spear phishing email campaigns. The emails impersonate the World Health Organization (WHO) and contain COVID-19 related messaging.
The malware attacks occurred in two waves. The first round, which began in March at the start of the pandemic, targeted European Union officials. The second wave, which launched in July, targeted the Tibetan diaspora community. Both phases of the cyberattacks used phishing emails to infect victims’ computers with Sepulcher, a Trojan malware.
Advanced Persistent Threat Group TA413
The RAT malware is the work of the Chinese advanced persistent threat (APT) group tracked as TA413. The threat actor group is associated with ExileRAT malware and historically targets Tibetan dissidents. TA413 was first seen around 2012.
Sepulcher malware can harvest system information from the compromised computer – hard drives, file information, directory statistics, directory paths, directory content, running processes, and services – according to a report by cyber security researchers at Proofpoint. The RAT malware can also delete files and execute commands.
The phishing emails originate from a free Yahoo email account.
Sepulcher Attack – March 2020
The March malware attacks targeted European Union entities involved with economic policy and forecasting. The phishing emails contained an email attachment named “Covdi.rtf.” If the target was fooled by the email and opened the attachment, it installed the Sepulcher Trojan on their computer. The .rtf file exploited a security vulnerability in Microsoft’s Equation Editor to compromise the machine.
“This campaign’s specific focus on European economic, diplomatic, and legislative entities belies a possible momentary realignment for Chinese cyber espionage groups to collect information on global economies cast into upheaval as a result of COVID-19,” according to the Proofpoint report.
This is the first time that TA413 focused on targets in Europe.
Sepulcher Attack – July 2020
In July, the second round of malware attacks focused on Tibetan dissidents and groups associated with Tibet. The phishing email impersonated “Women’s Association Tibetan.” The malicious emails targeting Tibetan organizations contained a weaponized PowerPoint (PPSX) email attachment. If the victim opened the PowerPoint attachment, malicious code downloaded Sepulcher malware to their computer.
“This method is used by a known variant of the Royal Road RTF weaponizer which is shared among numerous Chinese APT actors. The execution of the WMF file ultimately results in the delivery and installation of the previously unidentified Sepulcher malware,” says the Proofpoint report.
APT TA413 typically targets the Tibetan diaspora.